4. August 2019

How to download an invalid or self-signed HTTPS certificate without OpenSSL using Google Chrome

When you need the public certificate of a web server in PEM format and have no OpenSSL tools at hand, you can use a “hidden” feature of Google Chrome.

Just open the HTTPS URL in Google Chrome. You’ll see an error:

Your connection is not private.

Do not click on Advanced or Reload.

Click the error code itself (here NET::ERR_CERT_COMMON_NAME_INVALID; a self-signed certificate shows NET::ERR_CERT_AUTHORITY_INVALID instead) and the PEM-encoded certificate chain appears directly in the browser. Whether the code is clickable depends on the Chrome version; if it is not, the certificate viewer behind the padlock (or “Not secure”) icon can export the certificate instead.

Now you can copy the PEM-encoded chain and paste it into your text editor. Keep in mind that this is exactly what the server presented and nothing has validated it: before you trust it anywhere (a Java cacerts import, for instance), compare its fingerprint with one obtained out of band from whoever runs the server.

24. July 2014

couriertls: /etc/courier/esmtpd.pem: error:0906D06C:PEM routines:PEM_read_bio:no start line

After a Linux distribution upgrade, Courier stopped accepting e-mail delivered over TLS or SSL.

There was just this nice error message in the log file:

couriertls: /etc/courier/esmtpd.pem: error:0906D06C:PEM routines:PEM_read_bio:no start line

Long story short: the problem was in the PEM file.

Previous versions of Courier-SSL were able to read files with Windows (CRLF) line endings. The new version fails on them with this error; OpenSSL looks for a line that is exactly “-----BEGIN …-----”, and a trailing carriage return means it never finds one. The same message appears for an empty file or one that lacks the BEGIN/END header lines altogether.

The solution is simple: get rid of the Windows line endings.

You can use e.g. dos2unix, which converts the file in place:

dos2unix /etc/courier/esmtpd.pem

Since esmtpd.pem also holds the private key, check afterwards that the file mode is still restrictive. Restart the Courier services and everything works again :)
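The two posts above share one failure mode: a PEM file that looks right but is not what OpenSSL or a truststore expects. The script below is an added example (not code from either post) that checks such a file without OpenSSL, in keeping with the Chrome post: it detects CRLF line endings (the cause of Courier's "no start line"), strips them in place while keeping the file's mode, verifies that every -----BEGIN …----- has a matching -----END …----- with a base64 body, and splits a chain pasted from the browser into one certificate per file. The sample chain in write_sample_chain is constructed, with fake base64 bodies; function names are this script's own.

```shell
#!/usr/bin/env bash
# pem-check.sh: sanity-check a PEM file without OpenSSL (added example, not
# code from the original posts). Catches CRLF line endings, which make OpenSSL
# report "PEM routines:PEM_read_bio:no start line", and un-split chains.
set -eu

# True if the file contains carriage returns, i.e. Windows line endings.
pem_has_crlf() {
    [ "$(tr -cd '\r' < "$1" | wc -c | tr -d ' ')" -gt 0 ]
}

# Strip carriage returns in place, like dos2unix. Writing back through the
# existing file keeps its inode, owner and mode, which matters for a file
# such as esmtpd.pem that also holds the private key.
pem_fix_crlf() {
    local f="$1" tmp
    tmp=$(mktemp)
    tr -d '\r' < "$f" > "$tmp"
    cat "$tmp" > "$f"
    rm -f "$tmp"
}

# Print the number of complete PEM blocks. Exit 1, with the reason on stderr,
# when no block is found (OpenSSL's "no start line"), when a BEGIN and END do
# not pair up, or when a body line is not base64.
pem_count_blocks() {
    awk '
        /^-----BEGIN [A-Z0-9 ]+-----$/ {
            if (cur != "") { print "line " NR ": BEGIN inside open block" > "/dev/stderr"; bad = 1 }
            cur = substr($0, 12, length($0) - 16); next
        }
        /^-----END [A-Z0-9 ]+-----$/ {
            t = substr($0, 10, length($0) - 14)
            if (t != cur) { print "line " NR ": END " t " does not match " cur > "/dev/stderr"; bad = 1 }
            cur = ""; n++; next
        }
        cur != "" && $0 !~ "^[A-Za-z0-9+/=]+$" {
            print "line " NR ": not base64 inside " cur > "/dev/stderr"; bad = 1
        }
        END {
            if (cur != "") { print "missing END for " cur > "/dev/stderr"; bad = 1 }
            if (n == 0)    { print "no start line found (CRLF line endings?)" > "/dev/stderr"; bad = 1 }
            print n + 0
            exit bad + 0
        }
    ' "$1"
}

# Split a chain (as copied from the Chrome error page) into one file per
# certificate: $2/cert-1.pem, $2/cert-2.pem, ... Prints how many it wrote.
# Servers normally send the leaf first; check which file is which before
# importing anything.
pem_split_chain() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /^-----BEGIN CERTIFICATE-----$/ { n++; out = dir "/cert-" n ".pem" }
        out != ""                       { print > out }
        /^-----END CERTIFICATE-----$/   { close(out); out = "" }
        END { print n + 0 }
    ' "$1"
}

# Constructed sample: a two-certificate "chain" with CRLF endings and fake
# base64 bodies, standing in for something pasted from a Windows editor.
write_sample_chain() {
    printf '%s\r\n' \
        '-----BEGIN CERTIFICATE-----' 'MIIBsample' 'AAAA' '-----END CERTIFICATE-----' \
        '-----BEGIN CERTIFICATE-----' 'MIIBissuer' '-----END CERTIFICATE-----' > "$1"
}

# Walk the sample through the checks; prints the number of certificates split out.
demo() {
    local d
    d=$(mktemp -d)
    write_sample_chain "$d/chain.pem"
    if pem_has_crlf "$d/chain.pem"; then
        pem_count_blocks "$d/chain.pem" >/dev/null 2>&1 || echo "before fix: check fails, as OpenSSL would" >&2
        pem_fix_crlf "$d/chain.pem"
    fi
    pem_count_blocks "$d/chain.pem" >/dev/null
    pem_split_chain "$d/chain.pem" "$d/split"
}

# Usage: pem-check.sh FILE [OUTDIR]   (fixes CRLF, validates, splits)
if [ "$#" -gt 0 ]; then
    pem_has_crlf "$1" && pem_fix_crlf "$1"
    pem_count_blocks "$1"
    pem_split_chain "$1" "${2:-split}"
fi
```

Run it on the file you pasted from Chrome, then import the individual cert-N.pem files; on a Courier host, running it against /etc/courier/esmtpd.pem before restarting the service reports the CRLF problem in the same terms OpenSSL will.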

22. September 2013

Deploy Spring application by Maven to Tomcat7 via HTTPS – PKIX problem

Simple scenario: deploy a Spring application to a remote Tomcat whose Manager interface is served over HTTPS.

Easy task. With a properly configured pom.xml you can use the tomcat7 Maven plugin.

Part of pom.xml

  <!-- username and password must be set in ~/.m2/settings.xml -->
  <!-- URL where Maven can find Tomcat 7 Manager -->

Just run:

mvn tomcat7:deploy

Upload fails with error message:

PKIX path building failed

Oops. Not that easy? :)
The problem is that the JVM running Maven does not trust the certificate of the remote server: the plugin validates the HTTPS connection against the JDK’s cacerts truststore, and a self-signed certificate (or one from a private CA) is not in it.

Here is how to fix the PKIX issue on Windows.

Open the URL of the remote server in Firefox and save the certificate to a file (PEM or DER; keytool accepts both).

Run PowerShell as administrator, because cacerts lives under Program Files and cannot be modified otherwise.

Go to the directory holding the JDK’s cacerts and import the certificate. The default keystore password is “changeit”. keytool prints the certificate’s fingerprint and asks whether to trust it; answer yes only after checking that fingerprint against one obtained out of band.

cd C:\Program Files\Java\jdk1.7.0_40\jre\lib\security
keytool -import -alias test.sinusgear.com -keystore cacerts -file C:\Users\georgik\Documents\test.sinusgear.com

Done. Now you can start mvn tomcat7:deploy again. Two caveats: make sure the JDK you modified is the one Maven actually runs under (mvn -v prints its Java home), and remember that a JDK update replaces cacerts, so the import has to be repeated; an alternative is a copy of cacerts with the certificate added, handed to Maven through MAVEN_OPTS with -Djavax.net.ssl.trustStore.

10. January 2012

Debian Tomcat 7 – the trustAnchors parameter must be non-empty

I was deploying an application on Tomcat7/OpenJDK. This application was accessing further secure services like SMTPS and HTTPS.

Tomcat was complaining that the certificates were not correct (PKIX): the trustAnchors parameter must be non-empty.

The solution for Debian was quite easy once I found the correct path to cacerts. On Debian, the Java cacerts for OpenJDK are stored in the file /etc/ssl/certs/java/cacerts.

That error means the JVM opened a truststore containing no certificates at all, which is why the path matters. To import the certificate it is sufficient to use keytool (the file is maintained by the ca-certificates-java package, so a certificate placed in /usr/local/share/ca-certificates/ and picked up by update-ca-certificates ends up in it as well):

keytool -import -keystore /etc/ssl/certs/java/cacerts -file cert.pem \
-alias ci.sinusgear.com

Then I restarted Tomcat and the problem with trustAnchors disappeared.
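Both keytool posts above (the Windows/Maven one and the Debian/Tomcat one) come down to the same two questions: which cacerts does the JVM in question actually read, and how do you add a certificate to it without breaking the store. The script below is an added example, not code from either post. It locates cacerts for the JDK under JAVA_HOME (JDK 9 and later keep it in lib/security, JDK 8 and earlier in jre/lib/security) before falling back to Debian’s /etc/ssl/certs/java/cacerts, imports a certificate only if its alias is not already present, keeps a backup, verifies the result, and can instead build a private copy of the store to pass via MAVEN_OPTS or CATALINA_OPTS so that a JDK upgrade does not silently undo the fix. It assumes keytool on PATH and the stock password; STOREPASS and the function names are this script’s own.

```shell
#!/usr/bin/env bash
# java-trust.sh: add a server certificate to the truststore of the JDK that
# actually runs Maven or Tomcat, and verify it. Added example, not code from
# the original posts; assumes keytool on PATH and the stock cacerts password.
set -eu

STOREPASS="${STOREPASS:-changeit}"   # JDK default; override if your store differs

# Locate cacerts. Order: explicit path, the JDK under JAVA_HOME (JDK 9+ keeps
# it in lib/security, JDK 8 and older in jre/lib/security), then Debian's
# /etc/ssl/certs/java/cacerts, which ca-certificates-java maintains for OpenJDK.
find_cacerts() {
    local c
    for c in "${1:-}" \
             "${JAVA_HOME:-/nonexistent}/lib/security/cacerts" \
             "${JAVA_HOME:-/nonexistent}/jre/lib/security/cacerts" \
             /etc/ssl/certs/java/cacerts; do
        if [ -n "$c" ] && [ -f "$c" ]; then
            printf '%s\n' "$c"
            return 0
        fi
    done
    echo "cacerts not found: set JAVA_HOME to the JDK shown by 'mvn -v' or used by Tomcat" >&2
    return 1
}

# keytool -list exits non-zero when the alias is absent, which is what makes
# the import below idempotent.
alias_present() {
    keytool -list -keystore "$1" -storepass "$STOREPASS" -alias "$2" >/dev/null 2>&1
}

# Import $3 (PEM or DER) under alias $2 into store $1 unless it is already
# there, keeping a backup first, then confirm it is listed. Needs write access
# to the store: an elevated PowerShell on Windows, root on Debian. -noprompt
# skips keytool's "Trust this certificate?" question, so compare the file's
# fingerprint with one obtained out of band *before* calling this.
import_trusted_cert() {
    local store="$1" name="$2" certfile="$3"
    if alias_present "$store" "$name"; then
        echo "alias $name already in $store" >&2
        return 0
    fi
    cp -p "$store" "$store.bak"
    keytool -importcert -noprompt -trustcacerts \
        -keystore "$store" -storepass "$STOREPASS" \
        -alias "$name" -file "$certfile"
    alias_present "$store" "$name"
}

# JVM options that make a JVM read the given store instead of the JDK's
# cacerts. -Djavax.net.ssl.trustStore replaces the default store rather than
# adding to it, so the store handed over must be a full copy of cacerts.
truststore_opts() {
    printf '%s %s\n' "-Djavax.net.ssl.trustStore=$1" \
                     "-Djavax.net.ssl.trustStorePassword=$STOREPASS"
}

# Alternative that survives JDK upgrades (which replace cacerts): copy the
# store, import into the copy, and print the options to put into MAVEN_OPTS
# (for mvn tomcat7:deploy) or CATALINA_OPTS (for Tomcat's outgoing TLS).
private_truststore_opts() {
    local store="$1" name="$2" certfile="$3" copy="$4"
    cp "$store" "$copy"
    import_trusted_cert "$copy" "$name" "$certfile" >/dev/null
    truststore_opts "$copy"
}

# Usage: java-trust.sh ALIAS CERTFILE [CACERTS]
if [ "$#" -ge 2 ]; then
    import_trusted_cert "$(find_cacerts "${3:-}")" "$1" "$2"
fi
```

For the Maven case, `export MAVEN_OPTS="$(private_truststore_opts "$(find_cacerts)" test.sinusgear.com cert.pem "$HOME/.m2/cacerts")"` leaves the JDK untouched and keeps working after the next JDK update; for Tomcat on Debian, the same options go into CATALINA_OPTS.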